SSH command execution and SFTP file transfer using paramiko in Python

11 Aug 2022 - tsp
Last update 21 Sep 2022
Reading time 6 mins

Disclaimer: This blog entry is more of a note of some simple recipes used over and over again.

Introduction

Sometimes one has some Python scripts running and wants to transfer data to or fetch data from a remote machine - or simply execute commands. The best way to run commands on remote machines usually is SSH, the best ways for file transfer SFTP, SCP or simply copying to an NFS share (or of course using WebDAV / DeltaV). A simple method to realize this is the usage of the excellent paramiko library - this is a Python implementation of the SSHv2 protocol that builds on top of the cryptography package for native cryptography primitives.

This library is pretty flexible - this short blog entry will only show the most basic usage and also assumes that one wants to use public key based authentication for the remote user. As soon as one has grasped the basic ideas one can figure out everything necessary from the excellent documentation.

Installation

One can directly install paramiko from PyPi:

pip install paramiko

Importing the library, loading the private key file

First as usual one has to import the library:

import paramiko

Then one can use the RSAKey.from_private_key_file method to load the private key part for authentication:

try:
    sshkey = paramiko.RSAKey.from_private_key_file("/path/to/keyfile")
except IOError:
    # The file has not been found or any other kind of I/O error has happened
    pass
except PasswordRequiredException:
    # No password has been supplied by the keyfile is password protected
    pass
except SSHException
    # Keyfile is invalid
    pass

To supply a password one can add the password argument to the from_private_key_file method. Please keep in mind that handling passwords usually should be done with care - using separate memory locations that are not pageable, etc. - this is pretty hard to do correct from Pythons environment.

Executing remote commands

To execute remote commands one just has to:

Host key handling tells the client how to react when one sees an unknown or changed remote host key. The typical policies are:

# First load the SSHKey - see above for details:
sshkey = paramiko.RSAKey.from_private_key_file("/path/to/keyfile")

# Create the SSH client and setup handling of new host keys
sshClient = paramiko.SSHClient()
sshClient.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Connect to the remote host
sshClient.connect("203.0.113.1", username = "example", pkey = sshkey)

To execute commands one uses the exec_command method that returns a tuple of the standard pipes:

stdin, stdout, stderr = sshClient.exec_command(command)

To dump all information sent by a client and simply terminate afterwards one can dump information from stdout and invoke all destructors on the pipes. Note that this is required!:

stdin, stdout, stderr = sshClient.exec_command("uname -a")
print(stdout.read())
del stdin, stdout, stderr

In the end one has to close the client:

sshClient.close()

File transfer via SFTP

To transfer files one can use the sftp subsystem of SSH. Paramiko provides a full blown implementation of the SFTP protocol including directory traversal, permission management, reading and writing files without storing them locally, etc. The following example will limit itself to uploading and downloading of files as well as deleting and listing.

Bootstrapping of the public key, client instantiating and connecting works the same as before:

# First load the SSHKey - see above for details:
sshkey = paramiko.RSAKey.from_private_key_file("/path/to/keyfile")

# Create the SSH client and setup handling of new host keys
sshClient = paramiko.SSHClient()
sshClient.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Connect to the remote host
sshClient.connect("203.0.113.1", username = "example", pkey = sshkey)

Then one has to open the SFTP client:

sftpClient = sshClient.open_sftp()

Upload and download

Both methods allow one to set a callback = callable that receives two integer parameters callback(bytesTransferred, bytesTotal). One could use this to provide status updates for example:

def showTransferStatus(bytesTransferred, bytesTotal):
    print(f"{bytesTransferred} out of {bytesTotal} bytes transferred")

sftpClient.put("/local/source", "/remote/destination", callback = showTransferStatus)

Delete

To delete a file one can simply call the remove function:

sftpClient.remove("/path/remote")

Listing files

There are a variety of methods to list files on the remote machine using the SFTP client. The easiest for small directories is listdir(path = '.'). This method returns a simple Python list containing all filenames and directory names on the remote side. It does not contain entries for . and .. though.

print(sftpClient.listdir())

In case one also wants to receive the attributes one might use listdir_attr(path = '.'). This returns an wrapper containing additional information per entry:

A more advanced method to list files uses an iterator / generator pattern. This method is called listdir_iter(path = '.', read_aheads = 50). This method can be used in a typical iterator pattern like a for each loop:

for f in sftpClient.listdir_iter():
	print(f.filename)

The objects iterated over have the same structure as the result of listdir_attr.

Shutting down

In the end the SFTP client as well as the SSH client has to be shut down:

sftpClient.close()
sshClient.close()

This article is tagged: Python, Basics, Programming

Related articles

Using pycryptodomex for encryption and signing (PKCS1 OAEP and PSS) in Python

This is a short summary or rather recipe collection on how to use ```pycryptodomex``` for some simple encryption and decryption procedures using RSA with the OAEP schemes from ```PKCS#1``` as well as signing and verification routines using the PSS scheme.

Controlling Pfeiffer Turbopumps using RS485

Pfeiffer makes great turbopumps but sometimes you want to log information or control them from an existing control system. Out of this desire I played around with the RS485 protocol used by Pfeiffer and wrote some simple unofficial tools - that's what this blog entry is about

Runtime swapable and upgrade-able modules in ANSI C

This article describes an trick that I'm using in some of my applications to allow one to exchange modules or plugins inside an application at application runtime as well as keeping old versions active as long as they're required.

Implementing a simple websocket server in Python

This is a simple short summary on how one can build a websocket server for use with ones JavaScript web application in Python using asyncio and websockets package

Using RaspberryPis I2C from Python

This article gives a short summary on the way to interface with the I2C bus on RaspberryPi using Python by using a thin wrapper around the ioctl calls supported by FreeBSD. In addition it introduces a small PyPi package that supplies this thin wrapper.

Building a TCP console server for Windows and FreeBSD

A common problem in industry and laboratories - accessing a serial port via the network to allow multiple machines or VMs access the same physical serial port. This blog post explains how to build such an console server on a FreeBSD host offering physical serial ports an FreeBSD as well as Windows clients who are able to access the ports like local ones.

Using an Raspberry-Pi as UMTS/LTE gateway

Since a friend required this - a short write up on how to use your Raspberry-Pi (with FreeBSD) with an UMTS/LTE modem to provide internet connectivity to your local network.

mini-apigw: A Lightweight Gateway for Multi-Model AI Infrastructure

mini-apigw is a lightweight, locally controlled OpenAI-compatible API gateway that unifies multiple AI backends such as OpenAI, Anthropic, Ollama, vLLM, and Fooocus under one clean endpoint. It restores sanity in a world where every AI service assumes exclusive control of your GPU by adding arbitration, per-app governance, and transparent configuration through simple JSON files - no dashboards, no Kubernetes, no bloat. Designed for small labs, research environments, and hobby clusters, mini-apigw behaves like an old-school UNIX daemon: minimal, reliable, and easy to reason about. It lets you run modern LLMs and image models side by side with full control over access, security, and resources - all while keeping your infrastructure as lean and transparent as possible and using just a single API.

Also on this blog

Expanding GPU Capabilities on Notebooks and Mini PCs Without PCIe Slots via M.2 NVMe Slots

Ever wondered if your compact notebook or mini PC could power serious AI, LLMs, or scientific simulations? In this guide, we show you how to retrofit systems without PCIe slots using M.2 NVMe adapters and GPU expansion boardsโ€”enabling multi-GPU setups even on budget hardware. While not a full desktop replacement, this approach offers surprising performance for specific workloads. Perfect for tinkerers, researchers, and hardware hackers.

Running JupyterLab Behind an Apache Reverse Proxy

Want to access your internal JupyterLab instance securely over HTTPS? This quick guide shows how to set up Apache 2.4 as a reverse proxy for JupyterLab 4.2.5, with working websocket support and proper configuration on both ends. Learn how to avoid common pitfalls like broken kernels or missing outputโ€”and get your lab running smoothly behind your own public facing reverse proxy

Short Kalman filter summary

A short summary about Kalman filtering

Recipe how to recover Jenkins plain secret text credential via the web user interface

This short recipe explains how one can recover a Jenkins secret text credential directly using only the web interface

Data protection policy

Dipl.-Ing. Thomas Spielauer, Wien (webcomplains389t48957@tspi.at)

This webpage is also available via TOR at http://rh6v563nt2dnxd5h2vhhqkudmyvjaevgiv77c62xflas52d5omtkxuid.onion/

Valid HTML 4.01 Strict Powered by FreeBSD IPv6 support